CVE-2024-21636: Unescaped View Component Render
Directly concatenating the output of `render_template_for` with a postamble without HTML escaping can lead to Cross-Site Scripting (XSS). The return value of a view component's `#call` method may contain unescaped user input. Use safe wrapper methods such as `safe_render_template_for` that enforce or check for `.html_safe?` on template results.
Provally CuratedPublic repositoryHighMedium confidenceVerifiedApache-2.0
Rubyβ
Rubyβgreprules fetch cve-2024-21636-unescaped-view-component-render --engine opengrepDescription
Directly concatenating the output of `render_template_for` with a postamble without HTML escaping can lead to Cross-Site Scripting (XSS). The return value of a view component's `#call` method may contain unescaped user input. Use safe wrapper methods such as `safe_render_template_for` that enforce or check for `.html_safe?` on template results.
Community feedback
0 signals from signed-in users.
- Useful
- 0
- False positive
- 0
- Metadata
- 0